64-bit ZBOT Leverages Tor, Improves Evasion Techniques

Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also led us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques.

Below is a screenshot of the extracted code of TSPY_ZBOT.AAMV, which is injected with the 64-bit ZBOT:

Figure 1. Screenshot of 32-bit ZBOT

Going through the code, the 64-bit version can be seen as a part of the text section (executable code) of the malware.

Figure 2. Screenshot of injected 64-bit ZBOT

Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version.

The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication with its command-and-control (C&C) servers. This component is embedded at the bottom part of the injected code, along with the 32-bit and 64-bit versions. To initiate this component, the malware suspends the process svchost.exe, injects it with the Tor component’s code, and then resumes the process. In doing so, the execution of Tor is masked. It is launched using the following parameters:

These parameters specify how the Tor client will run. In this case, the Tor client runs as a hidden service and specifies the location of the private_key and hostname configuration. TSPY_ZBOT.AAMV then reports to its C&C server the said configuration, which is then relayed to a remote malicious user. The Tor client redirects the network communications in ports 1080 and 5900 to randomly generated ports, which the remote user can now access.

The Tor component acts as a server, which the malicious remote user uses to access an infected system. This ZBOT variant contains Virtual Network Computing (VNC) functionality, which the remote user can then use to execute commands. This functionality of certain ZBOT variants was reported as early as 2010, effectively creating a remote-control capability for this malware, similar to how a backdoor controls an infected system.

64-bit ZBOT Levels Up Antimalware Evasion Tricks

Aside from these functionalities, we found new routines added to this ZBOT. One is the execution prevention of certain analysis tools such as OllyDbg, WinHex, StudPE, and ProcDump among others.

Another noteworthy addition is this ZBOT’s user mode rootkit capability, which effectively hides the malware’s processes, files, and registry entries.

The said variant also hides its dropped files and autostart registry entries. As the images below show, the malware’s created folders can be seen using the dir command in CMD, but are hidden when browsed via File Explorer.

Figure 3. ZBOT hidden folders visible in CMD using dir command

Figure 4. ZBOT files hidden in File Explorer

Users can view the TSPY_ZBOT.AAMV autostart registry entries and its created folders and files by restarting in Safe Mode. Because the malware only has a user mode rootkit capability, which only hides malware-related files and processes, as opposed to a kernel mode rootkit, users can delete these while in Safe Mode.

This 64-bit version of ZeuS/ZBOT is an expected progression for the malware, especially after the ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. Adding other functionalities such as rootkit capability and the use of a Tor component is further proof that we will see more modifications in the future, particularly those that help circumvent or delay antimalware efforts.

Trend Micro protects users from this threat by detecting ZBOT variants if found in a system. It also blocks access to known C&C sites of the malware.